I have a simple-xml Splunk dashboard with a base query, and two post-processing queries inheriting from the base. However, when I load the dashboard, it always says "No results found." When I click the "Open in search" button, the results show as expected. Also, when I take out of base search and just throw the entire search into both panels, the charts display as expected. Anyone know what's going on here?
Here's the dashboard xml that isn't working:
<dashboard>
<label>Test Dashboard</label>
<description>This is a test</description>
<search id="base">
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
</query>
</search>
<row>
<panel>
<title>Test chart 1</title>
<chart>
<search base="base">
<query>
search success=false AND agent=true | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Test chart 2</title>
<chart>
<search base="base">
<query>
search success=false AND agent=false | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</dashboard>
However, if I combine the queries and get rid of the base query as seen below, it works:
<dashboard>
<label>Test Dashboard</label>
<description>This is a test</description>
<row>
<panel>
<title>Test chart 1</title>
<chart>
<search>
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| search success=false AND agent=true | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Test chart 2</title>
<chart>
<search>
<query>
index=app sourcetype=tracelog splunk_server_group=prod
eventName=business:Logout
(NOT description="*invalid username or password*")
NOT code="6703" NOT code="6704" NOT "code=8006" NOT "code=6900" NOT "code=6000"
| search success=false AND agent=false | timechart count by errors
</query>
</search>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
</dashboard>
Any ideas? Am I missing something here?
... View more